SAML and Admin Users

Having set up a Domino HTTP server for SAML authentication through Active Directory, is there a clever trick for allowing Administrators to bypass the ADFS login, e.g. with a local login page on the Domino server or via another Domino server to fetch the session, or do Administrators need to be added to Active Directory using an account with a matching email address?

As far as I can work out, any web page needing authenticated access throws you at your IDP server, so I am starting to think the Admin IDs need to be in Active Directory, but for security reasons that doesn’t feel right.

Any info, thoughts or suggestions welcome!

Subject: Re: SAML and Admin Users

Gary,

The only thing that comes to mind is to have an isolated server with replicas of the same applications and then have that server not configured for SAML authentication. Having said that, why would you not want the admins to be in Active Directory?

Subject: Re: SAML and Admin Users

All the end users are web only. The Admins and Developers have separate Notes IDs just for Admin/Dev stuff, but they also need to log in with these over http to resolve user issues. Active Directory is managed by a different section and a large Helpdesk team have access to change user passwords etc. Since the Admin/Dev accounts have Manager access to everything, for security we would like to separate them out.

I had already floated the idea of a separated Admin server, but management in the development team said no! Apparently they need to access each server. Don’t ask me to explain developers.

I was sort of expecting there to be a ‘local login’ URL to optionally bypass ADFS but apparently not. My other thought was whether the LTPA Token document could be copied to another server so you could have a login server then switch.

Subject: Re: SAML and Admin Users

Hi

What you can do is to have a “Login Server” and use Web Server Single Sign-on (LTPA Token) to access the other servers under the same dns domain.

IBM documentation: http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_creatingawebssoconfigurationdocument_t.dita

Just add the new login server to the participating servers.

It is like accessing https://login.server.com/ for login and then just switching to your desired participating server, e.g. https://other.server.com/
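The reason the "login server" approach in the reply above works is that every server listed in the Web SSO Configuration document shares one LTPA secret, and the LtpaToken cookie is scoped to the common DNS domain, so any participating server can validate a token minted by any other. The following is an added example, not code from the thread or from HCL/IBM Domino: it mints and validates a Domino-style LTPA1 token using the commonly described layout (4-byte header 0x00010203, 8 hex characters each of creation and expiration time in seconds, the canonical Notes name, then a SHA-1 over that body plus the base64-decoded shared secret). The secret, the user name and the timestamps are constructed for the example; if your server's tokens differ, check the layout before relying on the validator. It also shows the caveat behind Gary's concern: whoever holds the secret can mint a token for any name, including an admin ID, so the Web SSO Configuration document and its replicas need the same protection as the admin credentials themselves.

```python
import base64
import hashlib
import hmac
import time

HEADER = b"\x00\x01\x02\x03"  # Domino LTPA1 token header (assumed layout)
DIGEST_LEN = 20               # SHA-1 digest length

# Constructed example secret. On a real server this is the base64 value
# stored in the Web SSO Configuration document and shared by every
# participating server; it is NOT a value from any real deployment.
SHARED_SECRET_B64 = base64.b64encode(b"example-shared-secret-do-not-use").decode()


def mint_token(username, secret_b64, now=None, ttl_seconds=1800):
    """What the login server does: build body, sign with the shared secret."""
    now = int(time.time()) if now is None else int(now)
    creation = f"{now:08X}".encode("ascii")
    expiration = f"{now + ttl_seconds:08X}".encode("ascii")
    body = HEADER + creation + expiration + username.encode("utf-8")
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode("ascii")


def validate_token(token_b64, secret_b64, now=None):
    """What a participating server does: check signature, then validity window.

    Returns the canonical user name on success, raises ValueError otherwise.
    """
    now = int(time.time()) if now is None else int(now)
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < len(HEADER) + 8 + 8 + 1 + DIGEST_LEN:
        raise ValueError("token too short")
    if raw[: len(HEADER)] != HEADER:
        raise ValueError("unknown token header")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    # Constant-time compare: signature check first, before trusting any field.
    if not hmac.compare_digest(digest, expected):
        raise ValueError("bad signature: not minted with this server's shared secret")
    creation = int(body[4:12], 16)
    expiration = int(body[12:20], 16)
    if not (creation <= now < expiration):
        raise ValueError("token expired or not yet valid")
    return body[20:].decode("utf-8")


def _accepts(token, secret_b64, now):
    try:
        validate_token(token, secret_b64, now)
        return True
    except ValueError:
        return False


def demo(now=1_700_000_000):
    """Login server mints a token; a participating server with the same
    secret accepts it; a server outside the SSO domain, an expired token
    and a tampered token are all rejected."""
    user = "CN=Gary Admin/O=Acme"  # constructed canonical Notes name
    token = mint_token(user, SHARED_SECRET_B64, now=now)
    other_secret_b64 = base64.b64encode(b"a-different-sso-domain").decode()

    raw = bytearray(base64.b64decode(token))
    raw[20] ^= 0x01  # flip one bit in the user name; signature no longer matches
    tampered = base64.b64encode(bytes(raw)).decode("ascii")

    return {
        "participating_server_accepts": validate_token(token, SHARED_SECRET_B64, now + 60),
        "other_domain_rejects": _accepts(token, other_secret_b64, now + 60),
        "expired_rejects": _accepts(token, SHARED_SECRET_B64, now + 1800),
        "tampered_rejects": _accepts(tampered, SHARED_SECRET_B64, now + 60),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The validator checks the signature before reading any field, because the expiration and user name are attacker-controlled bytes until the digest is confirmed. Note that in this scheme the signature is a plain hash over body plus secret rather than a keyed MAC, so the secret's confidentiality is the only thing standing between an attacker and an admin session on every participating server.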